(12) United States Patent 

Weiss et al. 



US006364769B1 

(io) Patent No.: US 6,364,769 Bl 
(45) Date of Patent: *Apr. 2, 2002 



(54) GAMING DEVICE SECURITY SYSTEM: 
APPARATUS AND METHOD 

(75) Inventors: Steven A. Weiss; Rex R. Carlson, both 
of Las Vegas, NV (US) 

(73) Assignee: Casino Data Systems, Las Vegas, NV 
(US) 

( * ) Notice: Subject to any disclaimer, the term of this 
patent is extended or adjusted under 35 
U.S.C. 154(b) byO days. 

This patent is subject to a terminal dis- 
claimer. 

(21) Appl. No.: 09/577,016 

(22) Filed: May 22, 2000 

Related U.S. Application Data 

(63) Continuation of application No. 08/861,092, filed on May 
21, 1997, now Pat. No. 6,071,190. 

(51) Int. CI. 7 A63F 13/00 

(52) U.S. CI 463/29; 463/25; 463/16; 

463/42 

(58) Field of Search 463/16, 20, 25, 

463/29, 40-43 

(56) References Cited 

U.S. PATENT DOCUMENTS 



4,200,770 A 
4,405,829 A 
4,467,424 
4,636,951 
4,764,666 
4,882,473 
5,119,295 



4/1980 Hellmanetal. 

9/1983 Rivcstetal. 

8/1984 Hedges et al. 

1/1987 Harlick 

8/1988 Bergeron 

11/1989 Bergeron et al. 

6/1992 Kapur 



5,398,932 


A 




3/1995 


Eberhardt et al. 




5,429,361 


A 




7/1995 


Raven et al. 




5,47U,079 


A 




11/1995 


LeStrangc et al. 




5,476,259 


A 




12/1995 


Weingardt 




5,489,095 


A 




2/1996 


Goudard et al. 




5,517,502 


A 


* 


5/1996 


Bestler et al 


.... 370/94.2 


5,542,669 


A 


* 


8/1 996 






5,583,562 


A 


* 


12/1996 


Birch et al 


, .. 348/12 


5,586,937 


A 


+ 


12/1996 




463/41 


5,611,730 


A 




3/1997 


Weiss 




5,643,086 


A 




7/1997 


Alcorn et al. 




5,655,961 


A 




8/1997 


Acres et al. 




5,668,950 


A 




9/1997 


Kikuchi et al. 




5,768,382 


A 




6/1998 


Schneicr et al. 




5,770,533 


A 




6/1998 


Franchi 




5,894,556 


A 




4/1999 




463/42 


5,903,652 


A 


* 


5/1999 


Mital 


380/25 


6,042,477 


A 


* 


3/2000 


Addink 


463/42 


6,099,408 


A 




8/2000 


Schneier el al 


463/29 


* cited by examiner 









Primary Examiner — Valencia Martin-Wallace 

Assistant Examiner — John M Hotaling, II 

(74) Attorney, Agent, or Firm — Bernhard Kreten 



(57) 



ABSTRACT 



Agaming device security system is disclosed which includes 
two processing areas linked together and communicating 
critical gaming functions via a security protocol wherein 
each transmitted gaming function includes a specific 
encrypted signature to be decoded and validated before 
being processed by either processing area. The two process- 
ing areas include a first processing area having a dynamic 
RAM and an open architecture design which is expandable 
without interfering or accessing critical gaming functions 
and a second "secure" processing area having a non- 
alterable memory for the storage of critical gaming functions 
therein. 

28 Claims, 8 Drawing Sheets 



ASWCUTK) 
EGUtPMIMT 



UTTOY 
MOSS 



I 1 -1 



VUUVMOU 
GMI1N0 

►tocstso* 



KtlWU 

mow* 

MEDM 



CXTIMKM. KWCf 
VMKMI0N PIOCU1 
KMTSUMOOUI 

luxnacm 
ovum 



05/06/2004, EAST Version: 1.4.1 



U.S. Patent 



Apr. 2, 2002 Sheet 1 of 8 



US 6,364,769 Bl 




^58 



ELECTRO 
MECHANICAL 
METERS 



52 



COIN 
ACCEPTOR 



c54 



BILL 
VALIDATOR 



56 



HOPPER 



120 



GAMING 
ASSOCIATED 
EQUIPMENT 



1 



50 



DISPLAY 
DEVICE 



60 



PROCESSOR 

£L 



WATCHDOG 
CIRCUIT 



62 



RANDON 
NUMBER 
GENERATOR 



^64 



ACCOUNTING 
AND LOG 



1 



66 



STATIC/ 
BATTERY 
BACKED 
RAM 



68 



EPROM 



30 



SERIAL 
LINK 



r70 



EXTERNAL PROGRAM 
VALIDATION DEVICE 



1 



72 



EXTERNAL DEVICE 
VALIDATION PROCESS 
FOR SUSPICIOUS 
JACKPOTS OR 
DISPUTES 



20 



INTERACTIVE 
MULTI-MEDIA 

GAMING 
PROCESSOR 



24 



INTERNAL 
ALTERABLE 
PROGRAM 
STORAGE 
MEDIA 





, ,26 


DYNAMIC 
RAM 



Fig. 1 



1 



140 



REMOTE 
COMPUTER 



05/06/2004, EAST Version: 1.4.1 



U.S. Patent Apr. 2, 2002 Sheet 2 of 8 US 6,364,769 Bl 




05/06/2004, EAST Version: 1.4.1 



U.S. Patent Apr. 2, 2002 Sheet 3 of 8 US 6,364,769 Bl 



BLACK BOX FLOW DIAGRAM FOR TYPICAL GAME SEQUENCE 



START 




DETERMINE GAME OUTCOME, INCREMENT All METERS 
SEND GAME OUTCOME TO WHIT E BOX 

SENO QUERY FOR END OF CAME DISMAY SEQUENCE 



Fig. 3 




UPDATE SECONDARY DISPLAY 



05/06/2004, EAST Version: 1.4.1 



U.S. Patent Apr. 2, 2002 Sheet 4 of 8 US 6,364,769 Bl 



TYPICAL POLL PROCESSING LOGIC 
BLACK BOX SIDE 

INCREMENT MESSAGE 
SEQUENCE NUMBER 
RESET RETRY COUNT 



BUILD MESSAGE | 



TRANSMIT MESSAGE 



START MESSAGE TIMER, 
START BYTE TIMER 




DONE 



05/06/2004, EAST Version: 1.4.1 



U.S. Patent Apr. 2, 2002 Sheet 5 of 8 US 6,364,769 Bl 

TYPICAL POLL PROCESSING LOGIC 
WHITE BOX SIDE 



START 




SEND NEGATIVE 
ACKNOWLEDGE 



PROCESS MESSAGE 
CONSTRUCT RESPONSE 

1 

SEND RESPONSE 



Fig. 5 



05/06/2004, EAST Version: 1.4.1 



U.S. Patent 



Apr. 2, 2002 



Sheet 6 of 8 



US 6,364,769 Bl 







in 


TC 




UJ 


LTi 




cn 


ui 




as 


z 


LlJ 


o 


t— 




z 


1 


Q_ 






CA 


CD' 



°5 

—I ^2 





to 






>•» 








CO 

LlJ 






ZD 


1 


CD 


ex. 


Q_ 


Z 


=> 
to 


o 


CO 




— 

AN 




Q_ 


O 


X 






A 



0= X, 



CO 



v 



LlJ -< 





C3 
















O 






Li- 


AC 














>- 










ING 








LU 




z 


3E 




=> 




LlJ 






Q 








CJ 


o 


-a: 


z 




z 










AR 






CJ 






CO 






CO 




05/06/2004, EAST Version: 1.4.1 



U.S. Patent 



Apr. 2, 2002 



Sheet 7 of 8 



US 6,364,769 Bl 



MONITOR 


50 






VIDEO CARD 
VIDEO MEMORY 


250 


l \*» 



PROCESSOR BOARD 
MEMORY; ROM, RAM, FLASH, E 2 
COMMUNICATIONS HANDLER 
DISPLAY OUTPUT GENERATOR 
SOUND OUTPUT GENERATOR 



254 



HARD 
DRIVE(S) 



256 



CD-ROM(S) 



22 



258 



NETWORK 
INTERFACE 



260 




VOCARD 
PARALLEL 
SERIAL 



^ P ARALLE L PORT ^ 
SERIAL 



60 

GAMING DEVICE 
(BLACK BOX) 




20 




Fig. 7 



05/06/2004, EAST Version: 1.4.1 



U.S. Patent Apr. 2, 2002 Sheet 8 of 8 



US 6,364,769 Bl 




READ/ 
WRITE 
MACHINE 
INTERFACE 



122 



Fig. 8 



05/06/2004, EAST Version: 1.4.1 



US 6,364,769 Bl 



GAMING DEVICE SECURITY SYSTEM: 
APPARATUS AND METHOD 

This application is a continuation of Ser. No. 08/861,092 
filed May 21, 1997 now U.S. Pat. No. 6,071,190. 

FIELD OF THE INVENTION 

The present invention relates generally to gaming devices, 
and in particular, to an advanced video and slot gaming 
device security system having dual processing areas with a 
master/slave relationship wherein the master includes a 
secure processing area including critical gaming functions 
stored and executed from a non-alterable media by the 
secure processing area while allowing the slave processing 
area to have an open architecture which is expandable 
without compromising critical gaming functions and retain- 
ing the ability for regulatory validation of the secure pro- 
cessing area of the system. 

BACKGROUND OF THE INVENTION 

Traditional gaming devices are based around a simple 
processor unit including a random number generator, an 
accounting means operatively coupled to a static/battery 
backed random access memory, and an EPROM having 
stored therein the important gaming functions. In addition, 
these gaming devices include gaming displays, coin 
acceptors, bill validators and hoppers operatively coupled to 
the simple processor. These gaming devices are relatively 
simple and limited in scope, usually consisting of a single 
executing program utilizing straight forward interrupt 
schemes and detection loops for asynchronous events for 
simple evaluation. It is also a simple matter of operatively 
coupling an external program validation device to the 
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correlation is time and resource prohibited. The multi- 
threaded/multi-tasking process nature of the programs in 
these devices make it extremely difficult to locate any 
compromising code which becomes clandestine since the 
actual sequence of the execution is hidden to the evaluating 
engineer. Furthermore, the code set for a complex PC device 
may not be fully embraced by the evaluating engineer. 

The significant reduction of risk for detection in compro- 
mising the more complex code is an invitation to inside 
compromise by device designers. Further, PC based devices 
are simply not field verifiable, rendering any gaming juris- 
diction's device inspection program or any other field vali- 
dation effort useless for this gaming equipment. For 
example, the device must be essentially disassembled so that 
all BIOS EPROMs and any other software located in periph- 
eral devices may be inspected. If CD ROMs or disk drives 
are used, these must also be read and verified, requiring a 
significant amount of time. A thorough inspection program 
will, of necessity, be extended in scope to include hardware 
since the device must be searched for approved peripherals 
that may modify the source code execution and function of 
the game. Hardware inspections are not easily defined, 
requiring a high level of technical skill for field personnel. 
Even if this capability is provided, each inspection will be 
time intensive thereby significantly reducing the effective- 
ness of any inspection program. 

Even with these efforts, validation will not be absolute. 
Regardless of the extent of the inspection, it is impossible to 
guarantee that an approved program is actually executing 
from dynamic RAM. Large jackpot validations by the casino 
are also out of the question for the same reason. This is a 
result of the fact that programs executing in dynamic RAM 
are self modifiable and extremely difficult to extract from an 



EPROM for providing effective regulatory validation of operating device. The dynamic RAM only exists in an active 
critical gaming functions to preclude unauthorized tamper- operating context; therefore it is impossible to be sure of an 
ing or modification of the gaming machine through soft- 



ware. In addition, an external device validation process for 
suspicious jackpots or disputes may be validated by simply 
reading the static/battery backed random access memory 
associated with the simple processor. Furthermore, software 
developers in the gaming industry are hesitant to include 
compromising code in traditional gaming devices due to the 
ease of both internal and regulatory review. 

Currently, most casinos protect their large jackpots by 
sealing the EPROM devices containing critical code for 
game functions with serialized tape, and validating the code 
contents against a standard after a large win. 

Today's trend in gaming devices is towards an increasing 
utilization of personal computer based gaming platforms. 
Personal computer based platforms are being employed by 
designers to make use of real time operating systems which 
allow for mulli-threaded/mulli-tasking processes and the use 
of many "off the shelf device drivers. While at first, this 
may seem an advantage, it is not a wise choice in an 
environment requiring high security and regulatory moni- 
toring. Designs of this nature elude validation by regulatory 
authorities in two areas, initial laboratory evaluation and 
field validation. Any in depth review of a PC based gaming 
device is both difficult and far from definitive, requiring 
tremendous engineering resources and specialist in com- 
puter security which are expensive and normally available 
only on a consultant basis. Even if these resources were 
available, it is impossible to study the hundreds of thousands 
of lines of source code comprising all of the elements of 
such a system. In addition, the time involved in just learning 
how to build the executable code from the source for 
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accurate program validation during an evaluation to resolve 
questionable operation or a patron dispute. 

At a time when regulatory goals should be to enhance slot 
machine security to protect the integrity of gaming, the 
introduction of these types of devices is an antithesis. These 
devices are an invitation to highly technical and non- 
detectable compromise by experts. At first, it may seem 
restrictive to prevent this type of design by regulation. 
However, multi media capabilities which can be offered via 
today's high technology can provide a very marketable 
scheme to patrons, therefore, alternative designs must be 
considered to provide these features in a responsible manner. 

Therefore, a need exists for an independent secured 
processor design for validation which would provide all key 
functions such as the determination of game outcome, 
monetary input, output, and logging of relevant events. 
Furthermore, a need exists for an open architecture design, 
for example, a personal computer based design of the 
gaming device which would provide all shell functions of 
presenting the game environment and thus providing a 
substantial entertainment component of the gaming device. 
Therefore, even though compromise is still possible at the 
shell level, evidence of what should have occurred is recov- 
erable from the specially designed secured processor. 

SUMMARY OF THE INVENTION 

The present invention is distinguished over the known 
prior art in a multiplicity of ways. For one thing, the present 
invention provides a video and slot gaming device security 
system including two processing areas linked together via a 
secure protocol. In addition, the present invention includes 
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a non-alterable storage media having gaming critical recent game. This log is to be mainlained in tact for a 

functions, at a minimum, stored therein and executed from predetermined minimum period of time and after a power 

the non- alterable media by one of the two processing areas. loss to the gaming device. 

The other processing area of the present invention includes Furthermore, critical gaming functions may be partitioned 

an open architecture design which is expandable without s f rom othc r functions by executing critical gaming functions 

compromising the critical gaming functions. Thus, the Qn a te dedicated ^ an£) ^ the 

present invention encourages innovations of gaming devices , . : . . / t ,. , , , ... , 

■<i . a .„: ,k«. „r i„*„„, „„„i, devices hardware so that the functions not deemed critical 

without reducing the etiectiveness ot regulatory evaluation ... , . , - 

and validation processes of the critical gaming functions. whK * «« ^ted or executed from alterable media are not 

Furthermore, the present invention allows for correlating lfl ca P* bl K c of directly modifying the random access memory 

true game results and monetary transactions to player pre- 10 used b J *e "Hical gaming functions^ Any component 

sentaUon under suspicious circumstances, even if the open to te ro f olled ft f * amin S 

,„u ( „^.,.«, „„„ - t „ aA - tU functions are preferably not accessible by other functions 

architecture processing area is tampered with. . j , , L , j- ™. 

* j r . L , . ■ , j . stored or executed from alterable media. Thus, the non- 

In one preferred form, the present invention includes at . . . . . ... , • c t - 

. , r j/ i . • j - pti • alterable media containing the critical gaming functions is 

least one video and/or slot gaming device, ine gaming 35 easily verifiable 

as to content independent of any function of 

device is based around the secure processing area which J . , . . 

. , , , . , v the gaming device itself, 
includes a random number generator, an accounting and log 

means operatively coupled to a static or non-volatile random OBJECTS OF THE INVENTION 
access memory and an EPROM having stored therein the 

critical gaming functions. Preferably, a coin acceptor, a bill 2Q Accordingly, it is an object of the present invention to 

validator and a hopper are operatively coupled to the secured provide a new and novel gaming device security system: 

processing area. In addition, the present invention includes apparatus and method. 

the open architecture processing area linked to the secure A further object of the present invention is to provide a 
processing area and communicating therewith via the secure gaming device security system as characterized above which 
protocol. Furthermore, a display means is operatively ^ includes two processing areas wherein a second processing 
coupled to a visual display for displaying, inter alia, random area is sequestered for securing critical gaming functions 
outcomes. and a first processing area is of an open architecture design 
The open architecture design includes an internal alterable expandable without any interference or access to the critical 
program storage media operatively coupled to a dynamic gaming functions stored within the second processing area, 
ram. Thus, the open architecture processing area allows for 30 Another further object of the present invention is to 
the storage of, inter alia, interactive multi media gaming provide a system as characterized above which provides a 
functions. security link operatively coupled between the first process- 
In one scenario, at least one gaming device is actuated by ing area and the second processing area for transmitting 
inserting a coin in the coin acceptor or a bill in the bill encrypted data correlative to critical gaming functions 
validator. Gaming activity is then initiated by the player and 35 between the second processing area and the first processing 
a gaming outcome is influenced by the random number area. 

generator. The gaming outcome is then transmitted to the Another further object of the present invention is to 

open architecture processing area to be animated on the pr0 vide a gaming device security system as characterized 

visual display operatively coupled to the open architecture a5ove which mc i udes an accessible access means for cou- 

processing area. If the gaming outcome is a winning out- ao pHng an externa i pr0 g ra m validation device to an electroni- 

come the secure processor communicates with or drives the ca i ]y programmable read only memory included in the 

hopper so that a player winning on the gaming device can second processing area. 

receive money back from a dispensing tray. Alternatively, ^ of ^ ( . & ^ 

the secure processing area may be provided with means to e a ^ ^ £ ^ characterized 

bestow credits as a function of the random gaming outcome. 45 r , ° . ° .,, f 

. 6 . . above which includes an accessible access means for op era - 

The critical gaming functions of the present invention are ^ coupling an ext ernal device va]ida ti on proC ess means 

stored in and executed directly from a media which is not to astatic/battery backed random access memory included in 

alterable through any use of circuitry or programming of Che ^ second processing area for validating suspicious jackpots 

gaming device itself and are verifiable as to content inde- and/or disputes 

pendent of any function of the gaming device. Critical 50 iL . ' - , . . . , 
r . -.if • . Another further object of the present invention is to 
gaming functions include a unique control 01, or any inter- . , , . .. r , _ . . . . 
& A . t . 1C ^ ,j- . provide a gaming device security system as characterized 
ruption of signals from a component involved in a monetary r , , & , , A _ . ,. 
. • 1 j- • . ij . above which precludes counterfeiting, tampering or modi- 
transaction, including, coin acceptors, bill validators, _ . . . - . ' 0 , . 
, . . _r . Li - , „ * . * ncation of cntical gaming functions including random out- 
hoppers, interlaces to cashless wagenng systems, associated , • t c ■ 1* 

. - . j . ° . / . „ comes and accounting logs ot gaming results, 

equipment used in the determination or a progressive or 55 ... 

bonus award value or any device which provides for the Another wrtbcr ob J ect of thc P Icscnt invention is to 

input or collection of credits, wagers or awards. In addition, P r0Vldc a gaming device security system as characterized 

critical gaming functions also include all accounting func- abovc * hic ; h ca t n bc operatively coupled to an external 

lions including the direct and unique control of electrome- source for downloading software into the gaming dev.ee. 

chanical and electronically stored meters, and the result of 60 Another further object of the present invention is to 

the random number generator utilized in determining game provide a gaming device security system as characterized 

outcome. Furthermore, critical gaming functions include a above which includes a visual display for displaying 

unique control over a storage and retrieval of a historical log decrypted random gaming outcome from the first processing 

documenting credits, wagers, award transactions, random «ea which has been transmitted thereto in an encrypted 

values used in determining game outcome and any security 65 form by the second processing area via a security protocol. 

or error events for the most recent game player or games in Another further object of the present invention is to 

progress and a plurality of games prior to the current or most provide a gaming device security system as characterized 
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above including a non-alterable memory means for storing 
critical gaming functions therein. 

Another further object of the present invention is to 
provide a gaming device security system as characterized 
above which includes a security protocol for transmitting all 5 
critical gaming functions over a link coupling the first 
processing area with the second processing area. 

"Viewed from a first vantage point, it is an object of the 
present invention to provide a gaming machine comprising, 
in combination: a first processor having a visual display and 10 
a communication interface; a second processor sending 
communicating data with the first processor via the com- 
municating interface, the second processor having means for 
sensing wagering activity and means for transmitting a 
random gaming outcome to the first processor to be ani- 15 
mated on the visual display, the second processor provided 
with means to bestow credits as a function of the random 
gaming outcome. 

Viewed from a second vantage point, it is an object of the 
present invention to provide a method for providing gaming 
security, the steps including; sequestering gaming functions 
into two processing areas, and linking the two processing 
areas via a security protocol. 

Viewed from a third vantage point, it is an object of the ^ 
present invention to provide a gaming device security sys- 
tem operatively coupled to at least one gaming machine, the 
system comprising in combination: a first processing means 
operatively coupled to and driving a visual display; a second 
processing means operatively coupled to the first processing 3Q 
means and communicating therewith via a secure protocol; 
a plurality of inputs enabled by a player allowing the player 
to initiate and sustain game play on at least the one gaming 
machine; the second processing means including means for 
determining random outcomes of game play and means for 3S 
transmitting the outcomes to the first processing means for 
updating the visual display; a player memory card including 
memory storage means on the card removable from and 
accessible by to the second processing means to upload and 
download information between the second processing 4Q 
means and the player memory card reflective of status of an 
ongoing game. 

Viewed from a fourth vantage point, it is an object of the 
present invention to provide a gaming device security 
system, comprising in combination: a first processor; a 45 
second processor including a non-alterable memory means 
for storing critical gaming functions therein; a communica- 
tion link operatively coupled to the first processor and the 
second processor for transmitting encrypted data packets 
correlative of the critical gaming functions and outcomes. 50 

These and other objects will be made manifest when 
considering the following detailed specification when taken 
in conjunction with the appended drawing figures. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a schematic depiction of the present invention 
according to one form. 

FIG. 2 is a plan front view of a gaming machine. 

FIG. 3 is a flow chart of a method according to one form 
of the present invention of a typical game sequence of the fi0 
second processing area. 

FIG. 4 is a flow chart of a typical poll processing logic 
method of the first processing area according to one form of 
the present invention. 

FIG. 5 is a flow chart of typical poll processing logic 65 
method of the second processing area according to one form 
of the present invention. 



769 Bl 

6 

FIG. 6 is a detailed block diagram of the second process- 
ing area according to one form of the present. 

FIG. 7 is a detailed block diagram of a first processing 
area according to one form of the present. 

FIG. 8 is a drawing reflecting the interaction between a 
player memory card and a source of uploading and down- 
loading. 

DESCRIPTION OF PREFERRED 
EMBODIMENTS 

Considering the drawings, wherein like reference numer- 
als denote like parts throughout the various drawing figures, 
reference numeral 10 is directed to the gaming device 
security system according to the present invention. 

In its essence, and referring to FIGS. 1 and 2, the gaming 
device security system 10 is preferably housed within a 
gaming device 100 which may lake the form of, for example, 
a video and/or a mechanical reel type slot machine. The 
gaming device security system 10 includes a first processing 
area 20 and a second processing area 60 operatively coupled 
to one another via a communication link 30. The commu- 
nication link 30 provides the means for transmitting 
encrypted data, correlative to critical gaming functions, 
between the second processing area 60 and the first process- 
ing area 20, The first processing area 20 is operatively 
coupled to a visual display 50 for displaying, inter alia, 
gaming graphics and random gaming outcomes. The second 
processing area 60 of the system 10 includes means for 
sensing wagering activity and means for transmitting the 
random gaming outcomes to the first processing area 20 
such that the outcome is animated on the visual display 50. 
In addition, the second processing area 60 includes means to 
bestow credits and/or monitory awards as a function of the 
random gaming outcome. Furthermore, the second process- 
ing area 60 can be directly accessed for validating the 
outcome of any game and the outcome can be displayed on 
the visual display 50, on an LCD display 55 or presented 
visually or audibly or any other peripheral. 

More specifically, and referring to FIGS. 1 and 2, the 
gaming device security system 10 is operatively coupled to 
at least one video and/or slot gaming device 100. FIG. 2 
shows an example of a video slot device 100 supporting the 
visual display 50 and including the coin acceptor 52, the bill 
validator 54, a cash out button 102, a service button 104, a 
bet one button 106, a display of features button 108 having 
scroll buttons 110, 112 disposed on either side, a spin reel 
button 114 and a play max button 116. In addition, the video 
slot device 100 includes a card reader 122, a card reader 
display 120 and a manual eject button 124. 

The gaming device 100 is founded on the first and second 
processing areas 20, 60 linked together via a secure protocol. 
The first processing area 20 is of an open architecture design 
which includes an internal alterable program storage media 
24 operatively coupled to a dynamic RAM means 26. Thus, 
the open architecture design of the first processing area 20 
allows for the storage of, inter alia, interactive multi-media 
gaming functions. In addition, the first processing area 20 
may be operatively coupled to an external source, for 
example, a remote computer 140 for downloading software 
into the gaming device 100 with out having access to or 
interfering with critical gaming functions stored in the 
second processing area 60. In addition, the first processing 
area 20 is operatively coupled to a visual display 50 for 
providing visual feedback to a gaming player. 

The second processing area 60 is a secure processing area 
which includes, a watchdog circuit 61, a random number 
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generator 62, an accounting and log means 64 operatively More specifically, and referring to FIG. 3, the first pro- 
coupled to a static or non-volatile random access memory 66 cessing area 20 may be referred to as a white box while the 
and an electronically programmable read only memory 68 second processing area 60 may be referred to as a black box. 
having stored therein the critical gaming functions. The With this terminology in mind one method of a typical game 
second processing area 60 is operatively coupled to the 5 sequence with respect to the black box can be explored, 
visual display 50, a coin acceptor 52, a bill validator 54, a Initially, a player places funds into the gaming device 100 
hopper 56 and electro-mechanical meters 58 which are via the coin acceptor 52, bill validator 54 or by inserting a 
preferably supported by the gaming device 100. In addition, card into a card reader 122. The player further interacts with 
the second processing area is coupled to associated gaming the gaming device 100 by placing a bet by actuating the bet 
equipment 120 used in the determination of a progressive or JQ one button 106, placing a max bet by actuating the play max 
bonus award value. The second processing area 60 is linked button 116, actuating game play via, for example pushing 
to the first processing area 20 with a communication link 30 me spin ree] bulton 114 or inserting further funds into the 
which provides the link for transmitting data via the security naming device 100 

protocol thereby precluding any alteration of the critical 0 If a bet fe ^ passing area 60 deter- 

gaming nc 10ns. . -,, mines if the number of credits is greater than zero and if so 

The critical gaming functions are .stored in . and executed increments the amount and decrements the credils 

directly from the read only memory 68 which is not alterable £ f 

through any use or circuitry or programming 01 the gaming • / \_ c * • ™ . . 1 * 

devici 100 itself and are verifiable ts to content independent ^^mitted to the first processing area 20 or white box in an 

of any function of the gaming device 100. encrypted format such that the white box can update the 

Critical gaming functions preferably include a unique JO visua display means 50. Once this transmission has been 

control of, or any interruption of signals from a component completed the second processing area or black box deter- 

involved in a monetary transaction, including, coin mines whclhcr the wa 5 cr amount 15 c 1 ual t0 a P rc * 

acceptors, bill validators, hoppers, interfaces to cashless determined max bet amount. If the wager amount is equal to 

wagering systems, associated equipment used in the deter- the max bet amount the black box determines the game 

mination of a progressive or bonus award value or any 25 outcome and increments all meters associated therewith, 

device which provides for the input or collection of credits, This game outcome is then transmitted in an encrypted form 

wagers or awards. In addition, critical gaming functions also via the communication link 30 to the first processing areas 

include all accounting functions including the direct and 20 or between the black and white box. Once the outcome 

unique control of electromechanical and electronically has been transmitted to the white box a query for an end of 

stored meters, and the result of the random number genera tor 30 game display sequence is sent to the white box and this 

utilized in determining game outcome. Furthermore, critical transmission continues until the display sequence is com- 

gaming functions include a unique control over a storage plete. Once the display sequence is complete the visual 

and retrieval of a historical log documenting credits, wagers, display is updated accordingly, the game sequence loops 

award transactions, random values used in determining back to a subsequent start of game, 

game outcome and any security or error events for the most 35 Alternatively, if a max bet means is initially actuated, the 

recent game player or games in progress and a plurality of second processing area 60 determines if the number of 

games prior to the current or most recent game. This log is credits the player has is greater than or equal to the pre- 

to be maintained in tact for a predetermined minimum determined amount of the max bet. If the player does not 

period of time and after a power loss to the gaming device. have enough credits to cover the max bet the black box 

Furthermore, critical gaming functions are partitioned 40 remains at the start of the game sequence, If the player has 

from other functions by executing critical gaming functions enough credils to cover the max bet the wager amount is 

on the second processing area 60. Functions not deemed incremented while the player's credit amount is decre- 

critical may be stored or executed from the alterable media menled. The amount of the wager is then transmitted to the 

24 which is not capable of directly modifying the random first processing area 20 or white box in an encrypted format 

access memory 66 or the electronically programmable read 45 via the communication link 30. The first processing area 20 

only memory 68 used by the critical gaming functions. Any then updates the visual display 50 accordingly. The game 

component required to be uniquely controlled by the critical outcome is then determined and all meters associated with 

gaming functions are preferably not accessible by other the gaming device 100 are incremented if necessary. This 

functions stored or executed from the alterable media 24. game outcome is then transmitted in an encrypted form via 

Thus, the non-alterable media containing the critical gaming so the communication link 30 to the first processing area 20 or 

functions is easily verifiable as to content independent of between the black and white box and the white box then 

any function of the gaming device 100 itself. updates the visual display means 50. Once the game out- 

In general, the gaming device 100 is actuated by, for come has been determined and displayed a query for an end 

example, inserting a coin in the coin acceptor 52 or a bill in of game display sequence is looped into action and dis- 

the bill validator 54. Gaming activity is then initiated by the 55 played on the visual display 50 until the display sequence is 

player and a gaming outcome is influenced by the random complete. Once the display sequence is complete the visual 

number generator 62. The gaming outcome is then display is updated accordingly and the game sequence loops 

transmitted, via the secure protocol, to the open architecture back to a subsequent start of game, 

processing area 20 and animated on the visual display 50. If At the start of any game sequence the player has the 

the gaming outcome is a winning outcome the second 60 option of actuating game play by, for example, pushing a 

processing area 60 communicates with or drives the hopper spin or draw button which will result in the black box 

56 so that a player winning on the gaming device 100 can determining the outcome of the game if the player has placed 

receive money back from a dispensing tray 48. Alternatively, a wager amount which is greater than zero. If the player has 

the secure processing area may be provided with means to not placed a wager the black box will remain in the start of 

bestow credits as a function of the random gaming outcome. 65 the game sequence. However, if the player has placed a 

The credits are preferably displayed to the player via the wager the outcome of the game is determined and then 

display 50. transmitted to the white box in an encrypted form via the 
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communication link 30. Once again a query for end of game 
display sequence is looped into action and displayed on the 
display 50 until the sequence is completed and then subse- 
quently the visual display 50 is updated and a new start of 
game sequence is initiated. 

Initially inserting funds into the gaming device 100 causes 
the wager amount to be incremented and transmitted to the 
white box in an encrypted form such that the white box will 
update the visual display 50. Inserting further funds into the 
gaming device 100 without actuating a bet, max bel or game 
play option will cause this process to continue until the 
insertion of funds has equaled the max bet amount. When 
this occurs the game is actuated and the outcome is deter- 
mined. This outcome increments all associated gaming 
meters and is sent to the white box in an encrypted form 
which in turn initiates the query for the end of game display 
sequence to be initiated on the visual display 50. This 
continues until the display sequence is complete. Once the 
display sequence is completed the visual display is updated 
and the start of game sequence is initiated. 

FIGS. 4 and 5 detail a poll processing logic method 
between the black box side and the white box side, the two 
processing areas 20, 60, of the system 10. 

Referring to FIG. 4, when a message is be sent from the 
black box to the white box the black box increments a 
message sequence number and resets a retry counter 
included in the second processing area 60. Next, the black 
box 60 builds an encrypted message and transmits this 
message via the communication link 30. In addition, the 
black box starts a message timer and a byte timer included 
in the second processing area 60. 

Meanwhile, and referring to FIG. 5, the white box 20 tests 
for incoming data words. When an incoming data word is 
found the white box decrypts the transmitted message and 
builds a message packet. The white box continues to receive 
the incoming data word and decrypts and builds the message 
packet until the message packet is complete. Once the 
message packet is complete the white box determines if the 
decrypted message packet is valid and if so then discerns 
whether the message itself is of a valid type. Once the white 
box has validated the message packet and determined that 
the message is a valid one it processes the message and 
constructs a response. The response is encrypted and sent 
back to the black box side. Alternatively, if the white box 
determines that the packet is invalid or that the message type 
of the packet is invalid it sends a negative acknowledgment 
to the black box side. 

Referring back to FIG. 4, The black box determines if the 
while box is sending a response in the form of an incoming 
data word. If the black box discerns that the white box is 
sending a data word the black box receives the data word 
and restarts the byte timer. The black box then decrypts the 
data word and starts to build a message packet. The black 
box will check this message packet and if the message 
packet is incomplete it will continue to receive the incoming 55 
data word from the white box and will restart the byte timer 
after each check of the message packet. This continues until 
the message packet is complete. Once the message packet is 
complete the black box discerns whether a negative 
acknowledge message has been sent by the white box and if $n 
a negative acknowledge message has not been sent by the 
white box the black box discerns whether the packet is a 
valid packet and also discerns whether the packet contains a 
valid message type. If both criteria are met the transmission 
of the response is complete. 

Alternatively, if the message packet built by the black box 
is not a valid packet or if the message type within the packet 
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is not valid, the black box will increment the retry counter 
and re transmit the original message to the white box. As 
long as each incoming message packet built by the black box 
is not a valid packet or if the message type within the packet 
is not valid message the black box will increment the retry 
counter and re transmit the original message to the while box 
until the retry counter has a value which is greater than a 
maximum allowable value. Once the maximum allowable 
value of the retry has been obtained an error message will be 
displayed on the visual display and once again a commu- 
nication error process will be initiated. 

Alternatively, if the incoming data word from the white 
box to the black is a negative acknowledge message the 
black box will continue to increment the retry counter and re 
transmit the message until the retry counter is greater than a 
maximum allowable value. Once the retry counter reaches a 
value which is greater than maximum allowable value an 
error condition is displayed on the visual display and system 
10 initiates a communication error process to discern why 
the negative acknowledge message is being sent, 

If the response from the white box is not an incoming data 
word and a message timer and a byte timer is less than 
predetermined values the black box will continue to poll for 
an incoming word. If the black box is receiving a response 
from a white box which is not an incoming data word and 
the message timer and the byte timer are greater than 
predetermined values the black box will increment the retry 
counter and re transmit the message to the white box. The 
black box will continue this process until the retry counter 
is greater than a maximum allowable value. Once the retry 
counter reaches a value which is greater than maximum 
allowable value an error condition is displayed on the visual 
display and system 10 initiates a communication error 
process to discern the cause of the error. 

In the preferred embodiment, the second processing area 
is the master communication device and initiates all mes- 
sages. The first processing area is the slave and transmits 
data only when polled by the master. All message data shall 
be encrypted to provide data security. Preferably, each 
incoming data word includes a unique identification signa- 
ture which includes at least one leading bit and at least one 
trailing bit attached to the ends of the data word. By . 
checking the leading and trailing bits of each data word the 
system can discern the validity of the identification signature 
of each data word. Alternatively, each completed packet can 
include a unique identification signature which includes at 
least one leading bit and at least one trailing bit attached to 
the ends of the message. By checking the leading and 
trailing bits of each message the system can discern the 
validity of the identification signature of each message. 

The gaming device 100 includes an input/output device 
122 for reception of a player memory card 280 that the 
device 100 can read and write 10. The device may also 
include a separate stand alone station where the player can 
take the player memory card for a status diagnostic includ- 
ing the relative ranking of the player during the course of 
play or at the end of the set period for play including an 
opportunity to redeem awards associated with player per- 
formance. 

More particularly, and with reference to FIGS. 1 and 2, 
the gaming device 100 is shown according to one form of the 
invention. The gaming device 100 includes a housing 101 
that supports therewithin, a display 50 to an area for receiv- 
ing a wager 52, 54 a place 122 to receive a player memory 
card, a display 120 that allows supplemental information to 
be received thereon, a plurality of decision making buttons 
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102 through 116 and optionally a handle which can be used 
in lieu of one of the decision making buttons in order to 
initiate play of the game. In addition, a payout hopper 56 can 
be included for a redeeming awards based on play in using 
the gaming device 100. 5 

FIG. 8 reflects details of the player memory card 280 and 
its relationship to a read/write machine interface 122 that 
receives the player memory card 280. More particularly, the 
player memory card 280 can be configured as a substantially 
plan rectangular piece of plastic which can include encoding 10 
on a magnetic strip includes an input/output interface 284 
that can be read by the read/write machine interface 122 
shown in FIG. 8. In essence, the input/output interface 284 
is operatively coupled to an integrally formed processor or 
storage unit 286 contained in the player memory card 20 and 15 
the processor or storage unit 286 interfaces with an electri- 
cally erasable programmable read only memory 288 or other 
black box circuitry so that the ongoing status of the player's 
gaming activities can be uploaded and downloaded to and 
from the machine 100. In addition, automatic downloading 
of the player's descriptive information (name, address, 
social security number, etc.) is preferably accomplished 
when the memory card is in the read/write machine interface 
122. This information is used for, inter alia, marketing use 
by the casino. The magnetic strip 282 can include other 
information if desired, such as player identification or a form 
of encryption for detecting the validity of the player memory 
card 280. In addition, the processor 286 and its memory 288 
can be included with encryption or decoding means so that 
appropriate "handshaking" can occur between the machine 
interface 121 and the card 280 to minimize the likelihood of 
cards which have been updated by an improper unauthorized 
technique. 

In use and operation, and referring to FIG. 6, the secure 
processing area 60 includes a processor board 162, a main 
board 164 and a back plane 166 integrally or separately 
formed. The processor board 162 includes a graphics system 
processor 168 which is operatively coupled to the main 
board 164. The main board 164 preferably includes memory 
in the form of ROM, RAM, flash memory and EEPPROM AQ 
(electrically erasable programmable read only memory). 
The ROM includes the EPROM 68. In addition, the main 
board 164 includes a system event controller, the random 
number generator 62, a win decoder/pay table, status 
indicators, a communications handler and a display/sound 45 
generator. 

The main board 164 is operatively coupled to the back 
plane 166 which includes memory preferably in the form of 
an EEPROM and connectors to connect to peripherals. 
Furthermore, the back plane 166 provides a plurality of 50 
communication ports for communicating with external 
peripherals. The back plane 166 provides the coupling 
between discrete inputs 170 and the processor 168 and main 
board 164. Typical examples of elements which provide 
discrete inputs are coin acceptors, game buttons, mechanical 55 
hand levers, key and door switches and other auxiliary 
inputs. Furthermore, the back plane 166 provides the cou- 
pling between discrete outputs 172 and the processor and 
main board 1 64. Typically, elements which provide discreet 
outputs are in the form of lamps, hard meters, hoppers, 60 
diverters and other auxiliary outputs. 

The back plane 166 also provides connectors for at least 
one power supply 174 for supplying power for the second 
processing area 60 and a parallel display interface "PDI" 
176 and a serial interface for linking with the first processing 65 
area 20. The communication link 30 between the black box 
and the white box is via the parallel display interface 176 
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and/or the serial interface 178. In addition, the back plane 
166 also provides connectors for a sound board 180 and a 
high resolution monitor 182. Furthermore, the back plane 
166 includes communication ports for operatively coupling 
and communicating with an accounting means 184, a touch 
screen 186, the bill validator 54, a printer 188, an accounting 
network 190, a progressive current loop 192 and an auxiliary 
serial link 194. 

The back plane 166 optionally includes connectors for 
external video sources 200, expansion busses 202, slot or 
other display means 204, a SCSI port 208 and the card reader 
122 and key pad 123. The back plane 166 also preferable 
includes means for coupling a plurality of reel driver boards 
220 which drive physical slot reels 222 with a shaft encoder 
or other sensor means to the processor 168 and main board 
164. 

Referring to FIG. 7, the white box can be an interactive 
multi-media gaming computer which includes the first pro- 
cessing area 20. The first processing area 20 includes an 
input/output parallel and serial card 22. The input/output 
card 22 is operatively coupled to a first processing area 
processor board 252. The processor board 252 preferably 
includes memory in the form of read only memory, the 
dynamic random access memory 26 and internal alterable 
program storage media 24, for example, flash memory and 
electrically erasable programmable read only memory. In 
addition, the processor board 252 includes a communica- 
tions handler, a display output generator and a sound output 
■generator. The processor board 162 is operatively coupled to 
a video card 250 with video memory which in turn is 
operatively coupled to the visual display means 50, 

The processor board also allows peripherals in the form 
of, for example, hard drives 254, CD ROMS 256, network 
interfaces 258, sound cards 260 and other desirable periph- 
erals 262 for game enhancement and patron entertainment. 

Moreover, having thus described the invention, it should 
be apparent that numerous structural modifications and 
adaptations may be resorted to without departing from the 
scope and fair meaning of the instant invention as set forth 
hereinabove and as described hereinbelow by the claims. 

We claim: 

1. A gaming machine, comprising, in combination: 

a first processor having open architecture to allow recep- 
tion of game formats, a visual display and a commu- 
nication interface; 

a second processor sending encrypted communicating 
data with said first processor via said communicating 
interface, said second processor having closed archi- 
tecture which precludes access to critical gaming func- 
tions and programs; 

said second processor having means for sensing wagering 
activity and means for transmitting a random gaming 
outcome to said first processor to be animated on said 
visual display; 

said second processor provided with means to bestow 
credits as a function of the random gaming outcome. 

2. The gaming machine of claim 1 wherein said second 
processor includes a non-alterable memory means for said 
storing critical gaming functions therein. 

3. The gaming machine of claim 2 wherein said second 
processor includes a random access memory for storing 
accounting and gaming outcome information therein. 

4. The gaming machine of claim 2 wherein said non- 
alterable memory means includes an interface to couple with 
an external program validation device. 

5. The gaming machine of claim 4 wherein said random 
access memory of said second processor includes means for 
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interfacing with an external device validation process for 13. The system of claim 12 wherein said unique identi- 

directly validating the outcome of any game. fication signature includes at least one leading bit and at least 

6. The gaming machine of claim 1 wherein said second one trailing bit attached to ends of said data message, 
processor includes a random number generator for deter- 14 system 0 f claim 13 further including means for 
mining the random gaming output. 5 chc(±i said ^ and said traUi bUs of eacfa data 

7. The gaming machine of claim 1 wherein said first for y of ^ ideQtification si ture 

processor includes an alterable program storage media for 1J? ™ . r i • n t iL ■ T j- c 

r . • . t . u . . r .■ , 15. The system or claim 14 further including means tor 

stonng interactive multi-media gaming functions down- ,., . , , , , , 

loaded from a remote source without interfering with critical validating each data message of each data packet, 

gaming programs and functions stored in the second pro- 10 16 ' A g amm & device for use bv a P la y er comprising: 

cessing area. a visual display accessible to a player; 

8. A method for providing gaming security, the steps a first processing area having an open architecture with 
including: respect to application programming and including a 

sequestering gaming functions into two processing areas microprocessor and an alterable storage media capable 

within one gaming machine, and 15 of being externally alterable without affecting a key 

linking the two processing areas via a security protocol, game function of determining a random game outcome, 

one said processing area having open architecture, the said first processing area coupled to and driving said 

other said processing area having closed architecture. visual display; 

9. The method of claim 8 including forming said two a second p roce ssing area having a closed architecture 
processing area into a first processing area and a second including a non-alterable media for performing said 
processing area, ^ey g arn j n g function of determining a random game 

providing the arst processing area with player stimulus, outcome, said non-alterable media being secure so as to 
providing the second processing area with a response retain the ability for regulatory validation; 
from the player as a function of player stimulus, and 25 an electrical path connecting said first and second pro- 
having the second processing area drive the first pro- ^ areas for communication of said randora game 
cessing area as a result of player response. outcome 
10 Agaming device security system operatively coupled ^ ami devke of claim u wherd[1 said fifSl 

to at least one gaming machine, the system comprising, in . ° ■ < j j- ■ a r j , 

u - .■ processing area includes display software for determining 

combination: 30 ■ , -j ■ i i- i j 

. , , , , , . visual graphics on said visual display; and 

a first processing means operatively coupled to and dnv- . 

ing a visual display and having open architecture; whcrein first P™f ssmg area is externally alterable 

, . via downloading of display software from a source 

a second processing means having closed architecture from second ^ 

operatively coupled to said first processing means and to ... c i • +* • . 

■ *u 'it, i , „,„,„ „,„,„„„i. is 18. The gaming device of claim 16 wherein said second 

communicating therewith only via a secure protocol; . 6 . , , 

, , , , , „ . , processing area includes a microprocessor, 

a P urahty of inputs enabled by a player allowing the 19 ^ { d ^ of ^ u whefdn &aid 

player to initiate and sustain game play on at least the . . . , , , 

r J ° r processing area includes a non-volatile random access 

one gaming machine; r 

... , „ memory, 

said second processing means including means for deter- AQ 2Q ^ m device of daim 19 wherein said non . 

mining random outcomes of game play and means for raDdom ^ m ^ omcome ^ 

transmitting said outcomes to said first processing ma ti on 

means for updating said visual display; „ * ... t , . 1f , . ., . 

r te , 21. The gaming device of claim 16 wherein said second 

a player memory card including memory storage means ssi arca includcs a random niimbcr gcnerator for 

on said card removable from and accessible by said 45 determini id random outcome . 

second processing means to upload and download _ " . j • «■ i ■ 1i: t JL - tj- 

. . * * . » , r , 22. The gaming device of claim 16 further including an 

information between said second processing means and . _ . & & , .. ,., . , °. 

said player memory card reflective of status of an mt ff « for connechon ™<J an external validation device 

ongoing game, whereby a player can discontinue play The gaming device of claim 16 wherein said second 

by storing game information on said memory card and 50 processing area senses wagering activity, 

subsequently resume play in progress by refreshing 24 ■ ^ gaming device of claim 17 wherein said second 

said second processor means in said system. processing area bestows credits as a function of said random 

11. A gaming device security system, comprising in game outcome. 

combination: 25. The gaming device of claim 16 wherein said gaming 

a first processor having open architecture; 55 device * configured as a slot machine. 

, ijus. • i a- 26. The gamine device of claim 16 wherein said electrical 

a second processor having closed architecture including a . 6 6 , 

non-alterable memory means for storing critical gam- P alh 15 a communication link. 

ing functions therein; 21 ■ ^ S amin § device of claun 26 w h e ™n said commu- 

. . ,. ' t . . . , t ., (. , nication link is a serial communication link, 

a communication link operatively coupled to said first ~ , ■ c , . . . 

processor and said second processor for transmitting 60 A 28 " ^ gaming dev 1C e of claim 6 wherein said gaming 

encrypted data packets correlative of said critical gam- device 15 connectable to an external validation device; and 

ing functions and outcomes. wherein said non-alterable media is capable of validation 

12. The system of claim 11 wherein said encrypted data by the external validation device, 
packets include an encrypted data message and a unique 

identification signature to be validated upon receipt. ***** 
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(57) ABSTRACT 

A system and method for determining whether wager data 
for players' wagers placed on a drawing game have been 
altered after winning game elements are drawn includes a 
host computer and a verification device. The host computer 
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SYSTEM AND METHOD FOR A third technique involves writing all wagering informa- 

DETERMINING WHETHER WAGERS HAVE tion to a fixed medium such as a write once removable media 

BEEN ALTERED AFTER WINNING GAME (WORM) drive. Once wagering information has been writ- 

NUMBERS ARE DRAWN ten to the WORM drive, it cannot be altered. This technique 

n a Pi/mm ivtt\ tuc [Mui:Kn'mM s helps to prevent alteration of wagering information, but does 

BACKGROUND OF THE INVENTION no t determine whether any alterations have been made prior 

This invention relates to a system for playing a wagenng t0 writing the wagering information to the WORM drive. A 

game based on a drawing, and in particular, a system for limitation of a WORM drive is that its use requires ensuring 

determining whether wagers have been altered after winning that all wagering information has actually been written to the 

game numbers are drawn. JQ WORM drive prior to drawing the winning game numbers. 

Lottery and keno games are typical wagering games in SUMMARY OF THE INVENTION 

which a gaming authority conducts periodic drawings of . , . t . . , t 

x ~ . • ■ i i l In general, in one aspect, the invention features a system 

winning elements such as winning game numbers. In such . , b x . \ , lt [ , . r , , J 

b . , , . ■ * 1 . for determining whether wager data for players wagers 

games, each player selects a series of game elements e g., Qn a ^ ha & ve been altered after winning 

game numbers chosen from a set of numbers, which the J5 * mmhcTS &jc dfawn A hogt tef storcs lhe wager 

player believes will be drawn during a subsequent drawing dala and generates a first hash value for lhe wager data at a 

of winning game numbers from the set of numbers. For time prior to drawing the w i nn ing game elements, the host 

example, in a lottery game, a player may select six game computer being capable of generating a second hash value 

numbers from the set of integers 1 through 40 which the f or the wager data at a time subsequent to drawing the 

player believes will match six winning game numbers drawn 2Q winning game elements for comparison to the first hash 

by the gaming authority. Similarly, in a keno game, a player value, A verification device receives the first hash value for 

may select 10 game numbers from the set of integers from the wager data prior to drawing the winning game elements 

1 through 80 which the players believes will match 10 out and receives the winning game elements, 

of 20 numbers drawn by the gaming authority. Drawings for Implementations of the invention may also include one or 

lottery games typically occur once or twice a week, while 2J more of the following features. The wager data may include 

drawings for keno games can occur at intervals as short as players' game numbers and wager amounts, 

several minutes. The host computer may generate an intermediate hash 

Drawing games such as lottery and keno games are value prior to generating the first hash value. The host 

typically played using electronic gaming systems. Such computer may generate a transaction hash value for each of 

electronic gaming systems include geographically dispersed 30 the players' wagers. The host computer may generate a first 

gaming terminals for placing players J wagers. The terminals digital signature to uniquely identify the host computer, and 

are connected to a host computer that usually records append the first digital signature to the first hash value, 

wagering information relating to the players' wagers in an The verification device may generate a combination hash 

electronic storage device such as a magnetic medium. value for the winning game elements and the first hash 

For security purposes, an electronic gaming system 35 value, and transmit the combination hash value and the 

requires a mechanism for ensuring that existing wagering winning game elements to the host computer. The host 

information is not altered after the drawing of winning game computer may generate a check hash value for the winning 

numbers to create a fraudulent wager containing game game numbers and the first hash value, and compare the 

numbers thai match the winning game numbers. The alter- check hash value to the combination hash value. The veri- 

ation may be any modification, deletion, addition or corrup- 40 fication device may generate a second digital signature to 

tion of the wagering information. Several methods have uniquely identify the drawing device, and append the second 

been used to determine whether wagering information has digital signature to the combination hash value, 

been altered after a drawing of winning game numbers. The host computer may include a memory for storing lhe 

For games in which drawings occur once a day or less wager data and the first hash value. The system may further 

often, an electronic or printed copy of the wagering infor- 45 include a gaming terminal for generating the wager data, 

mation for all wagers placed on the game can be made and The system may further include a drawing device for 

secured at a remote location before the winning game drawing the winning game elements. The system may also 

numbers are drawn. At any time after the drawing, the secure include an auditing device in communication with the host 

copy of the wagering information can be compared to the computer for generating a third hash value for the wager data 

wagering information stored in the host computer on a 50 and comparing the first hash value to the third hash value, 

record-by-record basis to determine whether any alterations In general, in another aspect, the invention features a 

were made to the wagering information. This technique is method of detecting whether any of a plurality of stored 

time consuming, and is difficult to use with games in which wager data for players' wagers placed on a drawing game 

drawings occur every few minutes. has been altered after winning game elements are drawn. A 

A second technique involves use of an internal control 55 first hash value for the plurality of stored wager data is 

system (ICS) connected to the host computer to perform generated before the winning game elements are drawn. A 

auditing functions. In addition to recording the wagering second hash value for the plurality of stored wager data is 

information for every wager in the host computer, a copy of generated after the winning game elements are drawn. The 

the wagering information for each wager is sent to the ICS. first hash value is compared to the second hash value. 

Before the winning game numbers arc drawn, the ICS must 60 Implementations of the invention may also include one or 

assure that it has received a copy of all wagering information more of the following features. The method may further 

for the game. Thus, there must be no technical failures of the include determining that at least a portion of the plurality of 

system or loss of communication between the gaming ter- stored wager data has been altered based on a comparison of 

minats and the host computer prior to the drawing. To the first hash value and the second hash value. The method 

perform the auditing function properly, the ICS must also be 65 may also include transmitting the first hash value to an 

able to determine independently that the winning game independent location before the winning game elements are 

numbers have not been drawn when the last wager is placed. drawn. 
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The first hash value and the second hash value may be 
generated using a one-way hashing function. The method 
may include generating an intermediate bash value based on 
a portion of the plurality of stored wager data prior to 
generating the first hash value. The method may also include 
generating a transaction hash value based on the stored 
wager data for each of the players' wagers. 

In general, in another aspect, the invention features a 
method of securing a plurality of wager data for players 1 
wagers placed on a drawing game. A wager data hash value 
for the plurality of wager data is generated at a first location. 
The wager data hash value is sent to a second location. The 
winning game elements are drawn. A combination hash 
value for the wager data hash value and the winning game 
elements is generated at the second location. The winning 
game elements and the combination hash value are trans- 
mitted to the first location. 

Implementations of the invention may also include one or 
more of the following features. The method may include 
generating a check hash value for the wager data hash value 
and the winning game elements at the first location, and 
comparing the combination hash value to the check hash 
value. The method may also include appending a digital 
signature to the combination hash value at the second 
location. 

An advantage of the present invention is that alterations of 
wager data after drawing the winning game numbers can be 
detected without having to make a copy of all of the wager 
data before the winning game numbers are drawn and 
without having to make a record-by-record comparison of 
the wager data before and after the drawing. 

An additional advantage of the present invention is that 
alteration of wager data may be easily detected by a com- 
puter with limited processing and storage capacities. 

A further advantage of the present invention is that wager 
data may be secured prior to drawing the winning game 
numbers for a game having any drawing frequency and 
using any drawing method, e.g., manual or electronic. 

Other features and advantages of the invention will 40 
become apparent from the following detailed description, 
and from the claims. 



25 



30 



35 



BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a diagrammatic sketch of a gaming system 
according to the present invention. 

FIGS. 2A and 2B are a flow chart showing the operation 
of the gaming system of FIG. 1. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

The present invention relates to the use of hash values and 
digital signatures to enhance the security of wager data for 
a drawing game. A unique hash value for the wager data is 
generated before the winning game numbers are selected. If 
the wager data is altered after the winning game numbers 
have been selected, a hash value subsequently generated for 
the altered wager data will not match the original hash value 
for the wager data. 

A hash value is a fixed numerical value or string of digits 
generated from text, i.e., a string of text characters. The hash 
value is a numerical representation of the contents of the 
text, and is smaller than the text in that it may be stored in 
less memory space than the text itself. The hash value is 
preferably generated by a one-way hashing function, which 
is a formula or algorithm applied to the text for which it is 
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extremely unlikely that the same hash value will result from 
applying the hashing function to a different text. 

A digital signature is a digital code attached to an elec- 
tronically transmitted message that uniquely identifies the 
sender of the message. A one-way hashing function may be 
used to create the digital signature. 

FIG. 1 shows a gaming system 10 for determining 
whether wagers have been altered after winning game 
numbers have been drawn. FIGS. 2A and 2B are a flow chart 
showing a method 100 of operating gaming system 10 to 
determine whether wagers have been altered after winning 
game numbers have been drawn. 

Gaming system 10 includes a gaming terminal 20, a host 
computer 30, and a verification device 40. These compo- 
nents of gaming system 10 may communicate with each 
other over a network 35, Network 35 is preferably a secure, 
private network. Network 35 may also be the Internet or any 
communications network such as a dial-up, hard-wired or 
wireless digital network. Any data, messages or files trans- 
mitted over network 35 may be encrypted for security. 

A player places a wager for a drawing game at gaming 
terminal 20 (step 110). For example, the player may tender 
a wager amount in the form of cash money to an operator of 
the gaming terminal in exchange for a gaming ticket printed 
by the gaming terminal including the player's game numbers 
and the wager amount. System 10 may also include a 
plurality of similar gaming terminals 22 ... 24 connected 
over network 35. 

Gaming terminal 20 generates wager data including the 
player's game numbers and wager amount (step 120). The 
player's game numbers may be selected by the player or 
chosen randomly, e.g., using a random number generator 26 
to perform a "quick -pick" function. The wager data may also 
include other data pertaining to the player's wager, such as 
the amount wagered, the date of the wager, the game for 
which the wager was made, the location of gaming terminal 
20, the name of the player, non-wager transactions and 
wager pool totals. 

Wager data generated by gaming terminal 20 is transmit- 
ted to host computer 30 over network 35 (step 130). Host 
computer 30 includes a processor 32 and a memory 34 for 
processing and storing data transmitted to the host computer 
from gaming terminal 20, Memory 34 further includes a 
journal file 36 for storing data pertaining to gaming trans- 
actions processed by the host computer. 

At some point before winning game numbers are drawn 
for a drawing game, all wagering for the game is stopped 
(step 140). In the meantime, host computer 30 accumulates 
all of the wager data for a particular game in journal file 36 
(step 150). Processor 32 applies a hashing function to 
generate a wager data hash value HI for at least the game 
numbers and wager amounts of all of the players' wagers for 
the game (step 160). The hashing function is preferably a 
one-way hashing algorithm and can be, e.g., MD5, SHA, or 
any other strong cryptographic method. The wager data hash 
value HI is stored in memory 34 (step 170). 

If there is too much wager data to handle quickly or 
efficiently, or if too much time is required to generate the 
wager data hash value HI, then intermediate hash values 
hi . . . h3 may be generated at predetermined intervals for 
portions of the wager data being accumulated for the game 
(step 152). Each intermediate hash value hi . . . h3 may be 
generated based on all of the new wager data pertaining to 
wagers made during a time interval as well as the interme- 
diate hash values generated during previous intervals. 

If sufficient calculating time is available, it may also be 
possible to generate a transaction hash value Tl . . . T2 for 
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each individual wager (step 154). Thus, the transaction hash 
value is calculated from a subset of all of the wager data 
generated for the drawing game. The transaction hash values 
Tl . . . T2 may then be stored in journal file 36 along with 
the wager data, with intermediate hash values hi ... h2, or 
with wager data hash value HI. Storing transaction hash 
values Tl . . . T2 provides a simple way of determining 
which transactions may have been altered. 

Host computer 30 may also create a digital signature SI 
based on wager data hash value HI to uniquely identify the 
host computer. The digital signature may be created using a 
cryptographic signature algorithm, e.g., DSS. Digital signa- 
ture SI is stored in memory 34 and appended to wager data 
hash value HI (step 180). 

Verification device 40 is an independent location which 
receives the wager data hash value. Verification device is 
associated with one or more drawing devices 46, 48, which 
draw the winning game numbers. Verification device 40 may 
also include a processor 41 and a memory 42. 

Host computer 30 transmits wager data hash value HI 
with appended digital signature SI to verification device 40 
prior to the drawing of the winning game numbers (step 
190). By checking digital signature SI, e.g., using public key 
cryptography, verification device 40 can verify that the 
wager data hash value was sent by the correct host computer. 

After the wager data hash value has been received and 
digital signature SI has been verified, winning game num- 
bers Nl . . . N6 for the drawing game are selected by drawing 
device 46 and transmitted to the verification device (step 
210). Verification device 40 may store the winning game 
numbers in memory 42 and transmit the winning game 
numbers to host computer 30, which stores the winning 
game numbers in the memory 34 (step 220), and to a 
distribution medium 50 for transmitting the winning game 
numbers to the players of the game by, e.g., closed-circuit 
television, publicly -accessible television or printed publica- 
tion (step 230). 

Verification device 40 also uses a hashing function to 
generate a combination hash value H2 based on both the 
wager data hash value HI and the winning game numbers 
Nl . . . N6 (step 240). Verification device 40 transmits 
combination hash value H2 to host computer 30 (step 260). 
The verification device may also create a digital signature S2 
based on combination hash value H2 and append digital 45 
signature S2 to the combination hash value so that host 
computer 30 can verify the authenticity of the verification 
device that transmitted the winning game numbers (step 
250). 

After receiving the winning game numbers from verifi- 
cation device 40, host computer 30 verifies that the winning 
game numbers were transmitted by the correct verification 
device. Host computer 30 then applies a hashing function to 
both wager data hash value HI and winning game numbers 
Nl . . . N6 to generate a check hash value H3 (step 280). The 
host computer authenticates the winning numbers Nl . . . N6 
received from the verification device by comparing combi- 
nation hash value H2 to check bash value H3 (step 290). If 
these hash values are the same, then the winning game 
numbers Nl . . . N6 received by host computer 30 are 
deemed to be authentic. 

To determine whether any wager data for the drawing 
game has been altered, the hash value for the wager data may 
be recalculated at any time for the wager data stored in 
journal file 36 (step 300), and compared to the original 
wager data hash value HI (step 310). It would be nearly 
impossible to alter any of the wager data without affecting 
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the recalculated hash value for the wager data. If the 
recalculated hash value for the wager data differs from the 
original wager data hash value HI, then the gaming author- 
ity may conclude that some of the wager data has been 
altered. The gaming authority may then search through the 
stored wager data to determine which portion of wager data 
was altered. 

The data stored in memory 34 and the contents of journal 
file 36 may also be copied and transmitted to an independent 
auditing device 60, e.g., by digital electronic transmission or 
by physical delivery of the data. Auditing device 60 uses 
wager data hash value HI, combination hash value H2, 
winning game numbers Nl . . . N6, the original wager data 
or transaction hashes Tl . . . T2, and digital signature S2 of 
verification device 40 to verify the following: 

1. Only correct wagers were included in the drawing 
game, and none of the wager data was altered; 

2. Hie verification device that transmitted the winning 
game numbers was the correct verification device; and 

3. The winning game numbers transmitted by the verifi- 
cation device were the same as those recorded in the 
journal file. 

Either host computer 30 or auditing device 60 may 
recalculate the hash value for the wager data at any time to 
ensure that none of the wager data was altered and that no 
wagers were made after the original wager data hash value 
HI was sent to verification device 40. 

Other embodiments are within the scope of the following 
claims. 

What is claimed is; 

1. A system for determining whether wager data for 
players' wagers placed on a drawing game have been altered 
after winning game elements are drawn, comprising: 

a host computer for storing the wager data and generating 
a first hash value for the wager data at a time prior to 
drawing the winning game elements, the host computer 
being capable of generating a second hash value for the 
wager data at a time subsequent to drawing the winning 
game elements for comparison to the first hash value; 
and 

a verification device for receiving the first hash value for 
the wager data prior to drawing the winning game 
elements and for receiving the winning game elements; 

wherein the verification device generates a combination 
hash value for the winning game elements and the first 
hash value, and transmits the combination hash value 
and the winning game elements to the host computer. 

2. The system according to claim 1 wherein the wager 
data includes players' game numbers and wager amounts. 

3. The system according to claim 1 wherein the host 
computer generates an intermediate hash value prior to 
generating the first hash value. 

4. The system according to claim 1 wherein the host 
computer generates a transaction hash value for each of the 
players' wagers. 

5. The system according to claim 1 wherein the host 
computer generates a first digital signature to uniquely 
identify the host computer, and appends the first digital 
signature to the first hash value. 

6. The system according to claim 5, and further compris- 
ing a drawing device for drawing the winning game 
elements, wherein the verification device generates a second 
digital signature to uniquely identify the drawing device, 
and appends the second digital signature to the combination 
hash value. 

7. The system according to claim 1 wherein the host 
computer generates a check hash value for the winning game 
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elements and the first hash value, and compares the check 
hash value to the combination hash value. 

8. The system according to claim 1 wherein the host 
computer includes a memory for storing the wager data and 
the first hash value. s 

9. The system according to claim 1 further comprising 
a gaming terminal for generating the wager data. 

10. The system according to claim 1 further comprising 
a drawing device for drawing the winning game elements. 

11. The system according to claim 1 further comprising 30 
an auditing device in communication with the host com- 
puter for generating a third hash value for the wager 
data and comparing the first hash value to the third hash 
value. ]S 

12. A method of detecting whether any of a plurality of 
stored wager data for players 5 wagers placed on a drawing 
game has been altered after winning game elements are 
drawn, comprising: 

generating a first hash value for the plurality of stored 2 o 
wager data before the winning game elements are 
drawn; 

generating a second hash value for the plurality of stored 
wager data after the winning game elements are drawn; 

comparing the first hash value to the second hash value; 25 
and 

generating a combination hash value for the winning 
game elements and the first hash value. 

13. The method of claim 12 further comprising ^ 
determining that at least a portion of the plurality of stored 

wager data has been altered based on a comparison of 
the first hash value and the second hash value. 

14. The method of claim 12 further comprising 
transmitting the first hash value to an independent loca- 35 

tion before the winning game elements are drawn. 

15. The method of claim 12 wherein the first hash value 
and the second hash value are generated using a one-way 
hashing function. 
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16. The method of claim 12 further comprising 
generating an intermediate hash value based on a portion 

of the plurality of stored wager data prior to generating 
the first hash value. 

17. The method of claim 12 further comprising 
generating a transaction hash value based on the stored 

wager data for each of the players' wagers. 

18. The method of claim 12 further comprising 
generating a check hash value for the winning game 

elements and the first hash value; and 
comparing the combination hash value to the check hash 
value. 

19. A method of securing a plurality of wager data for 
players' wagers placed on a drawing game, comprising: 

generating a wager data hash value for the plurality of 
wager data at a first location; 

sending the wager data hash value to a second location; 

drawing the winning game elements; 

generating a combination hash value for the wager data 
hash value and the winning game elements at the 
second location; and 

transmitting the winning game elements and the combi- 
nation hash value to the first location. 

20. The method of claim 19 further comprising 
generating a check hash value for the wager data hash 

value and the winning game elements at the first 
location; and 

comparing the combination hash value to the check hash 
value. 

21. The method of claim 19 further comprising 
appending a digital signature to the combination hash 

value at the second location. 

***** 
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